Sounds like the author missed Apple's BlackHat 2016 talk. It goes into lots of technical detail on Cloud Key Vault. Well worth watching -- and a very cool implementation of a secure backup system designed for "adversarial clouds".
It's pretty cool how it retains end-to-end encryption of your keychain while also backing it up to untrusted clouds. Basically it employs Hardware Security Modules that limit recovery attempts to 10 tries before destroying the data, thus protecting against backend brute forcing and allowing you to use your relatively weak device passcode to encrypt the backup. And here's the kicker -- they put the HSM firmware signing keys in a blender so even an adversarial government can't force them to modify them.
Update: I guess he did watch the video (he previously wrote a whole post on it). So I'm not sure what he thinks is missing, or maybe I misunderstood and he's only complaining about non-keychain data encryption.
Or all the clouds might have 'evolved' a few minutes ago to comort with some new apple policy. This is all about trusting a corporation. I still prefer to handle my own encryption, keeping my keys how and where i like.
Matthew Green is a capable cryptographer who engages with the wider security community and practical encryption a lot (e.g. https://blog.cryptographyengineering.com/2016/03/21/attack-o... if you're interested in this kind of thing, I'd recommend following him more closely (e.g. on Twitter.)
Mentioned here: https://9to5mac.com/2016/02/25/apple-working-on-stronger-icl...
The question is, if you trust that iOS and iCloud work the way Apple says they do (under oath), how vulnerable are they to an adversarial cloud. They have designed a system to keep your keychain safe under these conditions.
HSM is a term used exclusively for server hardware, I believe. I know Apple devices (and some Android) use secure enclaves, but I don't believe they are referred to as "HSM"s.
I agree Apple does well in the security arena, but they should do more to prevent software updates without erasing the device if the security key is not available.
That was the part I was arguing with. Apple can get the keys if they were compelled to.
If Apple has access to the data, the government can compel them to turn it over. The whole point of this setup is that Apple doesn't have access to the data, because they can't get the keys, and they can't reconfigure the HSM to give it to them.
Now yes, they could in theory change iOS and push out an update to everyone that breaks the security model. But the government¹ can't compel them to do that. The government cannot compel them to materially change their product and break one of the major advertised features of the device.
¹I'm assuming US government here. The rules would be different in China, but I guess China knows that even they can't compel Apple to break the security model of the device in this way, Apple would rather leave China than do it.
>With one major exception — iCloud Keychain, which I’ll discuss below — iCloud fails the mud puddle test. That’s because most Apple files are not end-to-end encrypted.
The blog post is saying that iCloud backups are not protect from Apple, except keychain backups. So your files, messages, etc are not protected from Apple. And the video you posted seems to only be about keychain backups.
Because apparently China is putting cameras everywhere, and it stands to reason they could have a module that monitors for PIN entry and records it. Even at my workplace in the US I try to avoid entering my PIN near security cameras.
As a side note I think people vastly underestimate how easy it is to capture you typing your password on a phone screen.. especially when you put it in the context of complaining about minor security implications of TouchID or FaceID. I would suggest it's typically much easier to watch you typing a password than to clone your TouchID .
If its been more than 48hrs since you last unlocked the phone or you turned off the phone, it will require your password again.
It's simply harassment, the kind that I would have expected in former Eastern Germany, Poland, Russia or any other state like that.
My amateur understanding is the pin unlocks a hardware “safe” on the device which contains the actual decryption key, requiring physicAl access to the device even if the pin was caught on security cam.
Where Y is any corporation, and X any nation. At this point, I believe any assumption otherwise is naive.
I get that we have “no” or very little privacy now. But I’m wondering if Apple is making it clear to users in the US that their private messages may be siphoned off and exploited by governments of countries they have never been to.
If that were the case, there is no reason why you couldn't provision from to an HSM domain that hadn't had its keys shredded.
The implied architecture is there is a secure element on the phone with a unique key provisioned to it during manufacture - likely one that is derived from one of the HSM keys at Apple. However, since Apple cannot produce this individual device key themselves to do 3rd party device decryption, they must generate keys randomly in SE hardware on the device, using the user PIN as a derivation component - and somehow use SE firmware to set a fuse on the number of PIN tries. I don't know specifically how Apple does this, but the list of secure/viable approaches is short. (edit: unnecessary if they shred hsm keys.)
I don't doubt Apple's integrity on this, given the heat they have taken over it in the west. But an "adaptation" of their infrastructure to serve that regional market wouldn't surprise me either.
I'm skeptical of any scheme, and one that isn't presented in BAN logic tends to mean protocol designers have handwaved over where they are hiding things. Good examples of this notation are here. (http://www.lsv.fr/Software/spore/table.html).
If they have weakened the scheme, the technical ways Apple may have conceded to Chinese requirements, are all discoverable.
Breakable? I doubt that's viable given the security difference is an HSM with shredded keys vs. one where the keys still exist somewhere (probably in a duplicate HSM that operates the decryption service for Chinese govt). So still at least as good as any EMV payment system.
We can speculate about how this is implemented but reality is tech companies while ubiquitous, are not sovereign. Yet, anyway.
Narrow warrants granted by a seperate branch of government in broad daylight is very different from this. And it’s why we need to fight to restore that norm in America. I don’t buy that terrorism is such an exceptional case that we ought to bend due process out of shape.
Ofcourse even back then they never extended FISA to non US citizens. Nobody legislates the CIA.
That's fair for EPA, but Title IX wasn't an Administration proposal or, IIRC, heavily lobbied for by the Administration. Nixon signed it, but it's not really accurate to credit him with passing it. It was proposed and pushed by liberal Democrats in both houses of Congress.
And people don't rag on Nixon for his legislative agenda, but for pervasive abuse of power, including law enforcement and national security resources, for partisan and personal political purposes.
It’s good to see this mentioned. I’m sometimes surprised by the good that Nixon did, despite my overall conclusion that he was unfit for office.
> The true left were to some extent tools of the soviet information warfare effort…
This deserves citation to back it up. Please provide links to credible sources.
Going back to the higher point; I do wonder what the Chinese Govornment's track record on cyber security actually is, compared to what we more usually hear reported.
So it's a lot better if they just plain don't have the power (or at least not total power) in the first place. It's just like in infosec in general: the most secure information is the information that you don't ever have, you cannot be hacked for it or leak it. That's the only surefire way to avoid not merely abuse but even pressure for abuse, and it's here that I think Apple has made a big blunder even vs the rest of the tech industry. Yes the cloud is a big deal nowadays, but Apple's business model is uniquely well suited to supporting full non-cloud distributed usage models in addition as a differentiator from where so many other offerings have gone. It's fine if Apple has their own iCloud and App Store as the core principle source, but if they simply gave individual users and organizations the full and ungated ability to replicate that (in features if not breadth) locally then Apple could simply wash their hands of some of this without hassle (it could even let them get pickier elsewhere since there'd be a separate release valve).
Apple used to be great at this too, back in OS X 10.5/10.6 at least Mac OS X Server had a lot of interesting potential. Easy full mirrors of Software Update, Network Homes and NetBoot/NetInstall were awesome, etc. It's not hard to imagine them having gone further that route, and it's too bad they've kind of half-assed gone the other way despite being weaker at network services then their competitors anyway.
Legislatively from an American perspective this would also be the right way to try to fight back against authoritarian regimes: require American tech companies by law to offer decentralized options for owners of devices, like side-loading. If that's available then it would make the job of authoritarians significantly more challenging.
>Apple has strong data privacy and security protections in place and no backdoors will be created into any of our systems.
iMessage is end-to-end encrypted and has never been blocked in China, while services like WhatsApp are . During the FBI brouhaha, the national security establishment water holders started writing op-eds on blogs like Lawfare suggesting that Apple was being hypocritical in opposing the FBI, alleging that they had already given the jewels away to China . The DoJ basically parroted this in their filings to the court, accusing Apple of this outright (whether or not the op-eds were co-ordinated with the DoJ is unclear). Fortunately, this led to Apple responding to these accusations in their own filings to the court , including this declaration from Craig Federighi under threat of perjury :
>5. Apple uses the same security protocols everywhere in the world.
>6. Apple has never made user data, whether stored on the iPhone or in iCloud, more technologically accessible to any country's government. We believe any such access is too dangerous to allow. Apple has also not provided any government with its proprietary iOS source code. While governmental agencies in various countries, including the United States, perform regulatory reviews of new iPhone releases, all that Apple provides in those circumstances is an unmodified iPhone device.
>7. It is my understanding that Apple has never worked with any government agency from any country to create a "backdoor" in any of our products and services.
>I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct.
Assuming Craig Federighi didn't perjure himself, why has China seemingly made an exception for Apple when it comes to iMessage (or iOS or iCloud)? The answer is that Apple is the only tech company that actually has leverage with the CPC in (indirectly) employing millions of workers in China. People have criticized Apple for taking down the NYT's app or VPN apps in the App Store in China and for not resisting it, but Apple is rightly picking their battles to protect the crown jewels.
Eh, there’s a simpler explanation: Basically bobody uses iMessage in China.
Employing people in China is only leverage is they can readily move production elsewhere (nope, not at that scale).
Not that it counts for nothing but the real issue here is iMessage is just a non issue for China.
So in some way Apple is praying imessages not succeed in China.
I am glad the current privacy issues is not yet a problem in China. But someday Apple will have to deal with it, and unlike US where there is a system of Law to protect companies and Citizen, there isn't one in China. ( At least not by normal Western understanding of "Law" )
-publicly they state that servers need to be in China because they don’t want to hand Chinese citizen data to foreign country. This is nowhere incompatible with iMessage
- privately people suspect that China want to increase mass surveillance to a point even worse than what the USA was already doing with prism. If this is true yes iMessage is incompatible in the long run
Not exactly inspiring.
>Finally, the government attempts to disclaim the obvious international implications of its demand, asserting that any pressure to hand over the same software to foreign agents “flows from [Apple’s] decision to do business in foreign countries . . . .” Opp. 26. Contrary to the government’s misleading statistics (Opp. 26), which had to do with lawful process and did not compel the creation of software that undermines the security of its users, Apple has never built a back door of any kind into iOS, or otherwise made data stored on the iPhone or in iCloud more technically accessible to any country’s government. See Dkt. 16-28 [Apple Inc., Privacy, Gov’t Info. Requests]; Federighi Decl. ¶¶ 6–7. The government is wrong in asserting that Apple made “special accommodations” for China (Opp. 26), as Apple uses the same security protocols everywhere in the world and follows the same standards for responding to law enforcement requests. See Federighi Decl. ¶ 5.
Which you won't be able to easily find evidence for, even if they did do it.
> they should say explicitly and unambiguously what they’ve done
Why would they choose to be guarded and opaque? I think the silence speaks volumes...otherwise, I can't understand why it's pervasive.
Can't they just be clear and transparent and answer the question we all have here and move on?
>Why would they choose to be guarded and opaque?
I mean isn't the answer to this obvious? Sure, Apple could come out and spell this out for everyone, but this is extremely political and Apple is not going to be better served by loudly touting how they are in a privileged position relative to others because they have their own cards to play with the CPC.
> I mean isn't the answer to this obvious?
I thought it was obvious... because they know we won't like the answer. But it seems none of us know. It is really easy, regardless of political harm, to issue statements about data privacy for one country. Not so much for another... making other public statements about citizen data privacy more hollow if they only make them when they think they can. It's a clear case of principles vs money to me.
The question at hand is, if you trust that iMessage/iCloud works as documented, how does an adversarial third party cloud affect it. So far it looks like iMessage and keychain are still secure end to end encrypted. Apple never had the keys to those to begin with.
I think Apple should provide a way to know who you are talking to has changed rather than saying, “trust us”, we won’t do anything bad.
iMessage is very secure. The real question is what would China do if it takes off (no one uses it there).
You can assume that or you can assume that they need the access to the huge market which would be a much higher leverage for China over Apple.
Both not more then thought experiments by people not actually having any insight.
The danger of the Chinese government accessing your data is
1) Non-existent if you didn't declare you're Chinese
2) Not any different than the danger of the US government accessing your data
By the way, since so many of you feel so strongly about your data being stored abroad, don't you think the Chinese should feel the same? Why should they trust their data to a foreign government?
> Why should they trust their data to a foreign government?
The word "government" is creating a false equivalency because it covers a very broad range of entities:
Democratic governments are chosen by their citizens, operate under rule of law, and are dedicated to protecting their citizens rights and welfare, and to democracy and liberty at home and abroad (obviously, they are very imperfect in such things).
The Chinese government is an authoritarian dictatorship, an armed group that seized power ("political power grows out of the barrel a gun") and imposes itself on the people of China, and is dedicated to its own perpetuation.
This is ridiculous equivocation between a democratic society with a rule of law and an authoritarian regime. You're kidding yourself if you don't think the Chinese government has an interest in data owned by foreign nationals that they could gain access to.
A counterargument might be that since Y has no connection to you, Y has less interest in protecting your data from third parties than your own country, X, would.
"The only proper purpose of a government is to protect man’s rights, which means: to protect him from physical violence. A proper government is only a policeman, acting as an agent of man’s self-defense, and, as such, may resort to force only against those who start the use of force. The only proper functions of a government are: the police, to protect you from criminals; the army, to protect you from foreign invaders; and the courts, to protect your property and contracts from breach or fraud by others, to settle disputes by rational rules, according to objective law. But a government that initiates the employment of force against men who had forced no one, the employment of armed compulsion against disarmed victims, is a nightmare infernal machine designed to annihilate morality: such a government reverses its only moral purpose and switches from the role of protector to the role of man’s deadliest enemy, from the role of policeman to the role of a criminal vested with the right to the wielding of violence against victims deprived of the right of self-defense. Such a government substitutes for morality the following rule of social conduct: you may do whatever you please to your neighbor, provided your gang is bigger than his." - from "For the New Intellectual"
I do think that China would look at foreign residents or corporation's data, but they would really have to have a reason to care and this is a kind of moot point since if you had any secret data you cared about, you wouldn't be trusting third party cloud storage anyway.
iCloud Keychain stores the passwords, SSH keys, client side certificates etc for third party sites. That means that sites like Facebook, Google etc would be compromised on the biggest scale in history if Apple were to hand over encryption keys to the Chinese government. Not to mention the national security implications e.g. my work VPN credentials are in iCloud Keychain.
There is no way Apple would be stupid enough to allow this situation to persist without informing users unless they maintained the keys and it was a moot point. Otherwise they are inviting themselves up for all sorts of legal issues. Not to mention people who travel to China for holiday/work purposes.
What's impressive is they've implemented a backup solution for this that still retains end-to-end encryption. They use HSMs to encrypt a keychain "escrow" backup using your device passcode. The HSMs protect against brute forcing and Apple has no way to bypass -- they literally put the firmware administration keys in a blender. It's pretty cool.
Like a lot of Apple employees themselves, considering so much of the manufacturing is there. I would love to be a fly on the wall of their infosec team.
And of course the problem with keychains like this is that surely amongst one of your previous accounts is the password you used for your VPN and/or work email.
Maybe in ten years or more someone (Farris?) will describe the details behind the scenes about the cat-and-mouse, the unexplained outages, etc.
Kai-Fu Lee now says that if you look at China’s behavior over a long horizon—20 or 30 years—it’s clear that the trend is toward more openness. The incidents that led to Google’s retreat were “a perturbation” in this movement, mainly because Chinese leaders had reached their limits. “The next generation will come up in less than two years,” he says. “They’re younger, more progressive, many American-trained, and many have worked in businesses and run banks—they’re going to be more open.”
Was China actually more free in the 90s, or the 00s, or was it just easier to get away with it?
Could you cite any examples? I'm asking about China, not Hong Kong. Every time I ask this question, I am consistently pointed to repression in Hong Kong.